I know my company is testing something called "SSL Inspection" based on Websense, which is our proxy. I cannot provide more detail about this, but does this mean that in principle all my SSL traffic, for example my web bank password or security PIN, could actually be read by Websense?

I've already answered, but felt I should clarify something: are you asking if Websense (the makers of the monitoring tools) can read all your data, or if your employers can read all your data?
– Graham Hill, Jun 13 '12 at 12:41


Thanks, my concern is mainly with my employers. I also think that the users should be informed about this, even if I doubt it will be done in my company. Because, as you said, it's like a "man in the middle" attack. If you don't inform me, I don't really see much difference with respect to a "true" attack.
– castigli, Jun 13 '12 at 21:21


Ah, but it's their computer and their network: they can do what they like with it.
– Graham Hill, Jun 14 '12 at 9:23


@GrahamHill, depending on the jurisdiction, the employee council must agree and the employees must be informed.
– Hendrik Brummermann, Jun 15 '12 at 13:00

Yes, SSL Inspection is essentially a man-in-the-middle "attack" (except it's not really an attack since it's being done by the infrastructure owner) with the intention of being able to read all traffic originating from your company machine or crossing your company network, even if SSL is being used.

Consequently, you should not send anything from your company-issued machine, or over your company network, that you do not want your corporate security team to read.

(Which is a good general rule in any case.)

Some other points to bear in mind:

A reasonable company will not care about your personal data.

An ethical security team will go to some lengths to avoid seeing personal data.

A sensible company will have documented what they will and won't do - see what's been published.

There is a small but non-zero risk with any such system that a real attacker will compromise the monitoring system.

There are other methods available to a corporate security team for monitoring computer use - they can deploy keyloggers, for example.

If an organization has to implement a robust Data Loss Prevention system, they're going to have to look at everything - so even though they are implementing SSL Inspection it doesn't mean they have evil intent. Not much fun for their employees, of course, which is why transparency is so important.

When a company uses a proxy to inspect employees' SSL communication, they forge the target's (e.g. your bank's) certificate so that the employee thinks that he/she communicates with the bank, but in actuality he/she communicates with the proxy, and the proxy in turn communicates with the bank. The proxy uses its own root certificate for the employee-proxy route.

When you try to log in to your bank account from your company computer, the following takes place:

1. The login request uses the company's certificate to encrypt the message and sends it to the proxy.

2. The proxy, after decryption and inspection (and this can be done since the certificate is generated by your IT dept and they naturally have the private key required for decryption), "repackages" the message and sends it to the bank.

3. During (2), the proxy returns to you the bank login page so you think that you are connected directly to the bank. You might see the lock icon, but this is a fake: it is generated by the proxy's certificate.

4. During the inspection phase, the company can read your login details in the clear.

However, you can still connect to your bank in a secure way:

If you use your own computer on a company network, then when you get the bank log-in page look at the actual certificate shown to you (normally by clicking on the lock icon), and compare its fingerprint to a fingerprint you got through another communication channel (e.g. collect beforehand the desired fingerprints at home and write them on a piece of paper). Fingerprints cannot be spoofed by a proxy.

If you use the company's computer, you may still want to compare fingerprints, but remember that this is not your machine: the company might have installed all kinds of sniffing software/loggers. Don't do highly sensitive stuff on hardware + software that you don't fully control (trust issues of the OS or device drivers are a big subject for another discussion, though...)
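The fingerprint comparison described in this answer, as an added example that is not code from the original answers: a stdlib-only Python script that hashes the certificate a host actually presents on the current network and compares it, in constant time, with the SHA-256 fingerprint you recorded out of band. The host name and the pinned fingerprint are values you supply; the hex string in the test is a constructed stand-in, not a real bank's fingerprint.

```python
"""Compare the certificate presented on this network with a fingerprint recorded elsewhere.

An inspecting proxy re-issues the bank's leaf certificate under its own CA, so the
fingerprint of what your machine receives differs from the one you wrote down at home,
even though the browser still shows a lock icon.
"""
import hashlib
import hmac
import ssl


def normalize_fingerprint(text: str) -> str:
    """Accept the formats certificate viewers print: 'AB:CD:..', 'ab cd ..', mixed case."""
    hexdigits = "".join(ch for ch in text if ch.isalnum()).lower()
    if len(hexdigits) != 64 or any(ch not in "0123456789abcdef" for ch in hexdigits):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return hexdigits


def fingerprint_der(der_cert: bytes) -> str:
    """SHA-256 over the DER encoding, which is what browsers display as the fingerprint."""
    return hashlib.sha256(der_cert).hexdigest()


def matches_pin(der_cert: bytes, pinned: str) -> bool:
    """Constant-time comparison of the presented certificate against the recorded pin."""
    return hmac.compare_digest(fingerprint_der(der_cert), normalize_fingerprint(pinned))


def fetch_leaf_der(host: str, port: int = 443) -> bytes:
    """Fetch the leaf certificate the network actually hands us (needs network access).

    ssl.get_server_certificate performs no chain validation by default, which is what
    we want here: we want to observe what is presented, whether or not the OS trusts it.
    """
    pem = ssl.get_server_certificate((host, port))
    return ssl.PEM_cert_to_DER_cert(pem)


def check_site(host: str, pinned: str) -> bool:
    """True when the live certificate matches the out-of-band fingerprint."""
    return matches_pin(fetch_leaf_der(host), pinned)


if __name__ == "__main__":
    import sys

    # Usage: python check_pin.py bank.example "AB:CD:..."  (host and pin are your own values)
    ok = check_site(sys.argv[1], sys.argv[2])
    print("certificate matches recorded fingerprint" if ok else "MISMATCH: traffic may be inspected")
```

A mismatch on the company network but a match from home is the signature of an inspecting proxy; a mismatch everywhere usually just means the site rotated its certificate, so re-record the fingerprint from a network you trust.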